Chapter 1. Case Study of Agent-based Information Security System: Conceptual Model, Architecture, Software Implementation and Simulation

1.7. Technology of the Case Study Development and Implementation

First Stage. Development of the System Kernel.

1. Designation of the agent classes of the Case Study

Second Stage: Cloning of the software security agents

1.9. Conclusion of Chapter 1
Chapter 2. Results of Research on Digital Image Steganography: Approach, Techniques, Implementation and Simulation


Abstract.

This chapter outlines concisely the main steganography-oriented results of the Project. These results are twofold. The first result is the development of a new approach to transparent embedding of data into digital images. This approach is capable of providing a tradeoff between a high rate of the embedded data and robustness to common and some intentional distortions, in particular to JPEG compression. The developed technique makes use of the properties of the singular value decomposition (SVD) of a digital image. According to these properties, each singular value specifies the luminance of the SVD image layer, whereas the respective pair of singular vectors specifies the image geometry. Therefore slight variations of the singular values do not visibly influence the cover image quality. The idea of the proposed approach is to embed a bit of data through slight modifications of the singular values of a small block of the segmented cover. The approach is robust because it embeds the extra data into the low bands of the cover in a distributed way. The size of the small blocks is used as an attribute to achieve a tradeoff between the embedded data rate and robustness as required by the application. An advantage of the approach is that it is blind. Simulation has proved its robustness to JPEG compression up to 40%. The approach can be used both for hidden communication and for watermarking.

The second result is the development of a format for the compressed representation of digital images to be embedded into a cover one. The idea of the compression is based on using the SVD of the image color matrices. SVD makes it possible to represent an image as a partial sum of the most significant layers corresponding to the largest singular values. This idea is applied to each small block of the segmented image. The developed format is capable of providing compression up to 2 bit/pixel. Combined with the developed technique for hiding data in digital images, it makes robust embedding of a digital image into a cover one possible.

All theoretical results are validated using thorough simulation on the basis of the developed software.

The detailed description of the aforementioned results can be found in [IntRep#1], [IntRep#2], [IntRep#3] and [FinRep#1].

2.1. Introduction: Overview of the Results Presented in Previous Reports

Transparent hiding of data in digital images, called "digital image steganography" (DIS), presents an effective way for secret communication, watermarking and other applications. Although DIS is quite a new field of research, the development of Internet digital media and practical needs have stimulated recent rapid progress in this field. Steganography by itself aims to conceal the very existence of the fact of communication. Combined with encryption, steganography provides a higher level of communication secrecy.

Currently this field is a subject of intensive research. A number of techniques for DIS and watermarking have been developed during the last five years. In Interim Report #1 [IntRep#1] a thorough overview of the state of the art in the DIS and watermarking areas was given. In this overview the steganography problems were analyzed in many respects. In particular, the terminology, the classification of embedding schemes, the application-oriented classification of embedding tasks and the respective common and particular requirements to image-based embedding techniques, and a general classification and overview of the developed approaches for hiding information in images were analyzed. Let us summarize in brief the main results of this phase of the research.

According to the commonly accepted classification, the proposed DIS techniques can be classified as follows:

• Techniques that utilize the spatial domain. To insert data into an image, they use a selected subset of the image pixels¹ using a bit-wise approach ([Bender et al-9 ], [Bruyndonckx et al-95], [Chen et al-99], [Machado], [Matsui et al-98], [Pitas et al-96], [Tanaka et al-90], [van Schydel et al-94], etc.).

• Transform-based techniques that operate with images represented by a finite set of orthogonal or bi-orthogonal functions called "basis functions" ([Burget et al], [Kundur et al-91], [Piva et al-97], [Podilchuck et al-97], [Smith et al-96], [Xia et al-97], [Zhu et al-95], etc.). Examples are the Discrete Cosine Transform and the Wavelet transform.

• Fractal-based techniques that construct a "fractal code" of an image in such a way that allows encoding both the cover and the hidden images ([Puate et al-]).

More information on this subject can be found in [Cox et al-97], [Johnson et al-98], [Johnson et al-00], [Katzenbeisser et al-00], [Petitcolas et al-99] and [Swanson et al-98].

The common opinion is that there is no particular superior technique. Each technique has its own merits and flaws and a preferable application area.

[IntRep#1] describes a detailed classification of the general and particular requirements to DIS techniques. In general, the major requirements to any DIS technique are assuring invisibility of the hidden data, robustness to common and some types of intentional distortions, and support of a required rate of the hidden data. Since these requirements are conflicting, and the concrete requirements differ between application areas, the rational tradeoff depends on the particular application ([Petitcolas et al-98]).

Unfortunately, the majority of the techniques for hiding data in digital images that are known in the literature and implemented within commercial and research software tools are vulnerable to common signal processing and to intentional attacks involving distortions of sub-perceptual level. Many of the embedding systems provide only limited robustness against attacks. This was proved by employing software tools simulating such attacks, for example StirMark, Unzign and the Mosaic attack emulator.

The lessons learnt by researchers on the basis of the analysis of the properties, advantages and disadvantages of the existing digital image steganography techniques are as follows [Petitcolas et al-98]:

1. Information hiding algorithms that attempt to meet all the accepted requirements to a steganography task solution would fail. There is no superior solution applicable to all DIS tasks. Each solution must be based on a tradeoff depending on the application, for example robustness versus bandwidth and the accessible rate of information to hide. It is quite definite that most real-life applications do not need to meet all requirements, to be robust to all kinds of distortions and to be resistant against all known and future types of attacks. For possibly every application one can find a technique that more or less meets the basic requirements and is more or less feasible.

2. The real problems are not only to insert and detect hidden data. According to [Petitcolas et al-98], progress will come not just from devising new marking schemes, but from developing ways to recognize hidden data that have been embedded using obvious combinations of statistical and transform techniques and thereafter subjected to distortion.

3. It is the common opinion that steganography will go through the same process of evolutionary development as cryptography, with an iterative process in which inventing new types of attacks leads to the development of more robust systems [Petitcolas et al-98].

The above conclusions determined the basic objectives of the steganography-oriented research of the Project. Indeed, the study of the state of the art in the DIS area showed that the majority of the developed techniques aim at solving the watermarking problem, in which the most significant requirement is robustness to a wide range of distortions, whereas a high allowable rate of covertly embedded data is not an issue. That is why many existing approaches do not pay noteworthy attention to the development of techniques capable of providing a high rate of invisibly embedded data together with robustness, for example, to lossy compression like JPEG. Indeed, the only well-known approach that could be used to embed an image into a cover one is embedding data into the Least Significant Bits, called the LSB approach. One such technique was proposed in [Fridrich et al-99]. It uses segmentation of the image to be embedded into blocks of size 8x8, applying the DCT transform to each block, quantizing and encoding its coefficients and embedding each coded block into one or two LSBs of the cover image. Unfortunately, such and similar techniques cannot provide robustness and are highly sensitive to many common distortions, image format transformations and JPEG compression.

¹ For example, using the masking effect, using pseudo-random seeding, or some other strategy.

However, many military and industrial applications, such as hidden communication (HC) and hidden transmission of digital images, call for transparent and robust embedding of high volumes of data. Examples are the transmission of top-secret projects, industrial secrets, plans of covert operations [Johnson et al-98], etc. An important aspect of HC is the necessity to support the survivability of the transmitted information.

Due to theoretical limitations it is not possible to provide both high robustness and a high rate of the transparently embedded data [Anderson et al-98]. Nevertheless, it is highly necessary to develop an approach that is able to provide a high rate of transparently embedded data while preserving reasonable robustness.

Two ideas were chosen in the development of such an approach. The first of them is the development of a new robust method for embedding data into digital images, and the second one is the development of a format for the compressed representation of the digital image to be embedded into a cover one. Both these ideas were the subjects of the research during the second and subsequent phases of the work.

This research resulted in the development of a new approach to transparent embedding of data into digital images, which was described in [FinRep#1], [Gorodetski3 et al-00] and [Gorodetski4 et al-00]. The developed approach can be classified as "transform-based" because it deals with the image transformed by the Singular Value Decomposition (SVD). The developed method uses the properties of the SVD of a digital image. According to these properties, each singular value (SV) specifies the luminance (energy) of the SVD image layer, whereas the respective pair of singular vectors specifies the image geometry. Therefore, slight variations of SVs do not affect the visual perception of the quality of the cover image. The proposed approach is based on embedding data through slight modifications of the SVs of a small block of the segmented cover image. The approach is potentially robust because it embeds the extra data into the low bands of the cover image in a distributed way. The size of the small blocks can be used as an attribute to achieve a tradeoff between the embedded data rate and robustness. An additional advantage of the approach is that it is blind, i.e. it allows extracting the hidden information without using the original cover image. In the following sections the developed approach to embedding data into digital images is described in more detail.

The second idea resulted in the development of a new format for the compressed representation of digital images. This format is implemented and explored in detail via simulation ([IntRep#2], [Gorodetski3 et al-00], [Gorodetski4 et al-00]). The approach is based on using the singular value decomposition (SVD) of every image color matrix. SVD makes it possible to represent an image as a partial sum of the most significant layers corresponding to the largest singular values. The idea of such compression is that the contribution of each $i$-th layer to the formation of the original image is proportional to $\lambda_i$, since the singular vectors are normalized. That is why it is potentially possible to delete the layers corresponding to the small singular values without noticeable degradation of the resulting image as compared with the original one. Extended simulation confirmed that this conjecture is valid when preserving no more than 25% of the most significant layers.

The aforementioned idea was used for the development of a new format for compressed image coding. It makes use of

(1) a number of the most significant layers (MSLs) determined according to a simple formal criterion and validated through simulation,

(2) segmentation of the image into small blocks of a size depending on the required bit rate of the data to be embedded and on the required quality of the target image after decompression,

(3) special quantization and

(4) optimal encoding of the singular vectors of the preserved MSLs.

Simulation proved that this format can provide a data rate of less than 2 bpp while preserving the needed quality of the restored image. Although the last result can be thought of as in some sense aside from the Project objectives, nevertheless, when combined with the developed SVD-based approach for hiding data in digital images, it allows embedding a digital image robustly into a cover one. To our knowledge, there are no other methods that are capable of embedding a digital image into a cover one in a way that provides robustness to JPEG compression.

The rest of the chapter is devoted to the description of the developed SVD-based method of hiding data in digital images. In Section 2.2 the concept of the proposed approach is explained. In Section 2.3 the developed techniques of data hiding are described, and the results of a simulation-based study, focused on the robustness issue as well as on the embedded data rate, are outlined. The developed technique is illustrated by several examples. In conclusion a general assessment of the results is given.

2.2. Mathematical Basis of the Developed Techniques for Hiding Data into Digital Images: Singular Value Decomposition of Digital Images

A digital image in bitmap format is specified by an $m \times n$ matrix $A = \{a_{ij}\}_{m \times n}$. If an image is represented in RGB format then it is specified by three such matrices $A_R$, $A_G$ and $A_B$.

An arbitrary matrix $A$ of size $m \times n$ can be represented by its SVD ([Horn et al]) in the form

$$A = X \Lambda Y^T = \sum_{i=1}^{r} \lambda_i X_i Y_i^T \qquad (1)$$

where $X$, $Y$ are orthogonal $m \times m$ and $n \times n$ matrices respectively, $X_1, X_2, \ldots, X_m$ and $Y_1, Y_2, \ldots, Y_n$ are their columns, $\Lambda$ is a diagonal matrix with non-negative elements, and $r \le \min\{m, n\}$ is the rank of the matrix $A$. The diagonal terms $\lambda_1, \lambda_2, \ldots, \lambda_r$ of the matrix $\Lambda$ are called the singular values (SVs) of the matrix $A$, and $r$ is the total number of non-zero singular values. The columns of the matrices $X$, $Y$ are called the left and right singular vectors of the matrix $A$ respectively. The singular values $\lambda_1, \lambda_2, \ldots, \lambda_r$ can be calculated as $\lambda_i = \sqrt{\mu_i}$, $i = 1, 2, \ldots, r$, where $\mu_i$ is an eigenvalue of the matrix $A A^T$, or of $A^T A$. The left singular vector $X_i$, $i = 1, 2, \ldots, r$, is equal to the eigenvector of the matrix $A A^T$ corresponding to $\mu_i$. Similarly, the right singular vector $Y_i$, $i = 1, 2, \ldots, r$, is equal to the eigenvector of the matrix $A^T A$ that corresponds to its eigenvalue $\mu_i$. If an image is given in RGB format then it is represented by three SVDs of the form (1).

Thus, the SVD of an image decomposes the respective matrix into the layers $\lambda_1 X_1 Y_1^T$, $\lambda_2 X_2 Y_2^T$, ..., $\lambda_r X_r Y_r^T$. As a rule, the SVs are enumerated in descending order, i.e. if $\lambda_i > \lambda_j$ then $i < j$, and $\lambda_1$ is the maximal SV.

SVD possesses several interesting properties ([Horn et al]); two of them are utilized below to achieve invisible and robust hiding of extra data in digital images.

The first property is that each SV specifies the luminance (energy) of the SVD image layer, whereas the respective pair of singular vectors specifies the image "geometry". It was discovered that slight variations of SVs do not affect the visual perception of the quality of the cover image. This property is used to embed a bit of data through slight modifications of the SVs of a small block of a segmented cover.

The second property is that without loss of image quality an image can be represented by the so-called Truncated SVD (TSVD), i.e. by the sum

$$A_k = \sum_{i=1}^{k} \lambda_i X_i Y_i^T, \qquad k < r,$$

instead of the sum (1) ([Gorodetski3 et al-00]). In other words, a TSVD of an image can be used for its compressed representation. SVD-based image compression was proposed in [Andrews et al-76]. Later a number of approaches that combine the SVD image transform with other transforms were developed. However, the major attention was paid to the development of lossless SVD image compression and its combinations with other transforms. For example, to code images, in [Yang et al-95] the SVD transform is combined with the Vector Quantization approach; in [Waldemar et al-91] a combination of SVD and the Karhunen-Loeve transform is used to develop a hybrid compression. In [Fukutomi et al-99] the SVD transform is combined with the wavelet transform. In [Gorodetski3 et al-00] a format for SVD-based lossy compression of digital images was proposed. This format provides a compression rate close to 2 bit/pixel while preserving the appropriate quality of the restored image. This format is used to solve the task of robust embedding of a digital image into a cover one.
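As an added illustration of equation (1) and of the TSVD above (example code written for this edit, not the project's software, which the chapter does not reproduce), the following pure-Python routine computes the SVD of a small constructed image block with one-sided Jacobi rotations, rebuilds the block from its $k$ most significant layers, and reports how the relative error of $A_k$ falls as layers are added. The constructed block `SAMPLE`, the function names and the choice of the Jacobi method are assumptions of this example.

```python
# Added example (not the project's software): equation (1) and the TSVD of a
# small image block, computed with a one-sided Jacobi SVD in pure Python.
import math


def svd_layers(A, sweeps=60, eps=1e-12):
    """Return (lambdas, X, Y): singular values in descending order and the
    matching left/right singular vectors (as lists), so that
    A = sum_i lambdas[i] * X[i] Y[i]^T, i.e. equation (1) of the chapter.
    Method: Hestenes one-sided Jacobi rotations are applied to the columns of a
    working copy of A until the columns are mutually orthogonal; the column
    norms are then the singular values and the accumulated rotations give Y."""
    m, n = len(A), len(A[0])
    U = [[float(v) for v in row] for row in A]        # m x n working copy
    V = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        rotated = False
        for p in range(n - 1):
            for q in range(p + 1, n):
                alpha = sum(U[i][p] * U[i][p] for i in range(m))
                beta = sum(U[i][q] * U[i][q] for i in range(m))
                gamma = sum(U[i][p] * U[i][q] for i in range(m))
                if abs(gamma) <= eps * math.sqrt(alpha * beta):
                    continue                           # columns already orthogonal
                rotated = True
                zeta = (beta - alpha) / (2.0 * gamma)
                t = (1.0 if zeta >= 0 else -1.0) / (abs(zeta) + math.sqrt(1.0 + zeta * zeta))
                c = 1.0 / math.sqrt(1.0 + t * t)
                s = c * t
                for M in (U, V):                       # same rotation on U and V
                    for row in M:
                        mp, mq = row[p], row[q]
                        row[p], row[q] = c * mp - s * mq, s * mp + c * mq
        if not rotated:
            break
    triples = []
    for j in range(n):
        sigma = math.sqrt(sum(U[i][j] * U[i][j] for i in range(m)))
        x = [U[i][j] / sigma for i in range(m)] if sigma > eps else [0.0] * m
        triples.append((sigma, x, [V[i][j] for i in range(n)]))
    triples.sort(key=lambda tr: -tr[0])                # lambda_1 is the largest
    return ([tr[0] for tr in triples], [tr[1] for tr in triples],
            [tr[2] for tr in triples])


def tsvd(lambdas, X, Y, k):
    """A_k = sum_{i=1}^{k} lambda_i X_i Y_i^T: keep the k most significant layers."""
    m, n = len(X[0]), len(Y[0])
    out = [[0.0] * n for _ in range(m)]
    for i in range(min(k, len(lambdas))):
        for r in range(m):
            for c in range(n):
                out[r][c] += lambdas[i] * X[i][r] * Y[i][c]
    return out


def frob_diff(A, B):
    """Frobenius norm of A - B."""
    return math.sqrt(sum((a - b) ** 2 for ra, rb in zip(A, B) for a, b in zip(ra, rb)))


# Constructed 8x8 grayscale block: a smooth ramp plus a faint diagonal detail.
SAMPLE = [[100 + 6 * r + 4 * c + (12 if r == c else 0) for c in range(8)] for r in range(8)]


def tsvd_errors(A=SAMPLE):
    """Relative Frobenius error ||A - A_k||_F / ||A||_F for k = 1 .. n. The tail
    falls quickly, which is why a few layers (the chapter's 25% of the most
    significant layers) already give an acceptable reconstruction."""
    lam, X, Y = svd_layers(A)
    zero = [[0.0] * len(A[0]) for _ in A]
    total = frob_diff(A, zero)
    return [frob_diff(A, tsvd(lam, X, Y, k)) / total for k in range(1, len(lam) + 1)]


if __name__ == "__main__":
    for k, e in enumerate(tsvd_errors(), start=1):
        print(f"k={k}: relative error {e:.6f}")
```

The relative error of $A_k$ equals $\sqrt{\sum_{i>k} \lambda_i^2} / \sqrt{\sum_i \lambda_i^2}$, so the printed list also shows which layers carry the energy that the embedding techniques of Section 2.3 leave untouched.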


2.3. SVD-based Techniques for Hiding Data into Digital Images

The following are the techniques that were developed to utilize the first of the two aforementioned properties of the SVD image representation.

2.3.1. Technique 1

In brief, the first proposed technique is as follows. A cover image represented in 24 bpp (RGB) format is segmented into blocks of size $s \times s$¹, and the SVDs for each such block and for each matrix of the Red, Green and Blue layers are computed. Each block of every color layer is used to embed a bit of data. In Technique 1, a bit of data is embedded through a slight modification of the largest singular value of the block. The implemented and explored algorithm of modification is described below.

Let $B(k,l)$ be a block, where $k$ is the block number and $l \in \{\text{Red}, \text{Green}, \text{Blue}\}$. Let the largest SV of the block $B(k,l)$ of size $s \times s$ be $\lambda_1(l)$. Let $b$ be a bit of data to be embedded into this block. The embedding algorithm is as follows:

For each pair $(k, l)$:

1. Choose the quantization step $d$ of the largest singular value of the block. The value $d$ may differ depending on the color layer.²

2. Compute the integer $S$ such that $\lambda_1(l) = S \times d + \delta$, $\delta < d$.

3. Embed bit $b$ of data as follows:

If $S$ is an odd number then
    if $b = 1$ then $S$ is not changed
    else (if $b = 0$) $S := S + 1$.

If $S$ is an even number then
    if $b = 1$ then $S := S + 1$
    else (if $b = 0$) $S$ is not changed.


¹ The developed software implements a particular case of this technique when $s = 4$; generally, this number could be extended. Note that an increase of the $s$ value results in increased robustness of the technique and in a decreased volume of transparently embedded data.

² The value of $d$ is selected on the basis of a statistical exploration of the correlation between the distortion caused by JPEG compression of various percentages and the probability of bit recovery. This exploration must be made for each color. The respective results are given below in this section.
Fig. 2.1. The plots of the dependencies between the quantization step $d$ of the largest singular value of a cover image and the survivability of the embedded image after JPEG compression for the red (left), green (center) and blue (right) color layers of the cover image. These results correspond to the case when the cover image is segmented into blocks of size 4x4.

4. Compute the modified singular value $\lambda_1'(l)$:

$\lambda_1'(l) = d \times S + d/2$.

5. Compute the matrix of the block having the modified largest singular value:

$$B'(k,l) = \lambda_1'(l)\, X_1(l)\, Y_1^T(l) + \sum_{i=2}^{r} \lambda_i(l)\, X_i(l)\, Y_i^T(l)$$

6. Result: matrix $B'(k,l)$ containing the embedded bit of data.

The major implementation concern of the above algorithm is how to choose the quantization step $d$. It is obvious that an increase of the value $d$ leads both to more robust data hiding and to less transparency of the embedded data. To explore this dependency quantitatively, the respective simulation was performed for several cover images segmented into blocks of size 4x4 pixels and several images to be embedded. The latter were segmented into small blocks of size 8x8 and then compressed using the TSVD proposed in [Gorodetski3 et al-00] and mentioned in Section 2.2. The results are given in Fig. 2.1.a (for the Red layer), Fig. 2.1.b (for the Green layer) and Fig. 2.1.c (for the Blue layer). The plots illustrate the correlation between the percentage of JPEG compression and the percentage of correctly recovered blocks of the embedded image. Based on this result the following values of the quantization steps within the Red, Green and Blue layers were chosen:¹

d(red) = 46, d(green) = 22 and d(blue) = 52.

It should be noticed that the quantization step value $d$ might be used as a component of the secret key providing restricted access to the hidden information.

The simulation indicated that this way of embedding data into a cover image is robust against 100% JPEG compression.

The hidden data extraction procedure is very simple. Let $B'(k,l)$ be a block with an embedded bit of data.

For each pair $(k, l)$ do

1. Compute the largest singular value $\lambda_1'(l)$.

2. Compute $S = [\lambda_1'(l)/d]$, where $[\cdot]$ is the integer part of the quotient (for an undistorted block $\lambda_1'(l)/d = S + 1/2$).

3. If $S$ is an even number then the embedded bit value is 0, otherwise it is 1.

¹ Note that the appropriate choice is specific for every way of cover image segmentation.
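Technique 1 in code, as an added example that is not the project's implementation: embedding and extraction for 4x4 blocks with the quantization steps d(red) = 46, d(green) = 22 and d(blue) = 52 chosen above. Because only $\lambda_1$ changes, the rebuilt block equals $B + (\lambda_1' - \lambda_1) X_1 Y_1^T$, so the dominant singular triple is found by power iteration on $A^T A$ rather than by a full SVD. The sample blocks, the checkerboard distortion standing in for JPEG, and the rounding and clipping to 8-bit pixels are assumptions of this example.

```python
# Added example (not the project's code): Technique 1 embedding/extraction on
# 4x4 blocks with the chapter's quantization steps. Only lambda_1 and its
# singular vectors are needed, so they are obtained by power iteration on A^T A;
# the rebuilt block is B + (lambda_1' - lambda_1) X_1 Y_1^T.
import math

D_STEP = {"red": 46, "green": 22, "blue": 52}   # d per color layer (Section 2.3.1)


def _matvec(A, v):
    """A v."""
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def _matvec_t(A, u):
    """A^T u."""
    return [sum(A[i][j] * u[i] for i in range(len(A))) for j in range(len(A[0]))]


def _norm(v):
    return math.sqrt(sum(x * x for x in v))


def dominant_triple(A, iters=1000, tol=1e-9):
    """(lambda_1, X_1, Y_1) of A: Y_1 is the dominant eigenvector of A^T A
    (Section 2.2), lambda_1 = ||A Y_1|| and X_1 = A Y_1 / lambda_1."""
    n = len(A[0])
    y = [1.0 / math.sqrt(n)] * n   # start vector; overlaps Y_1 for non-negative pixel blocks
    lam = 0.0
    for _ in range(iters):
        w = _matvec_t(A, _matvec(A, y))   # (A^T A) y
        nw = _norm(w)
        if nw == 0.0:                     # all-zero block: lambda_1 = 0
            return 0.0, [0.0] * len(A), y
        y = [c / nw for c in w]
        lam_new = _norm(_matvec(A, y))
        converged = abs(lam_new - lam) < tol
        lam = lam_new
        if converged:
            break
    x = [c / lam for c in _matvec(A, y)]
    return lam, x, y


def _clip8(v):
    return min(255, max(0, int(round(v))))


def embed_bit(block, bit, d):
    """Steps 1-5: lambda_1 = S*d + delta; make S odd for bit 1 and even for
    bit 0; lambda_1' = S*d + d/2; rebuild the block with the new first layer.
    Rounding and clipping to 8-bit pixels are added here; a nearly saturated
    block may lose its bit to clipping (a caveat the chapter does not discuss)."""
    lam, x, y = dominant_triple(block)
    S = int(lam // d)
    if (S % 2 == 1) != (bit == 1):
        S += 1
    shift = (S * d + d / 2.0) - lam
    return [[_clip8(p + shift * x[i] * y[j]) for j, p in enumerate(row)]
            for i, row in enumerate(block)]


def extract_bit(block, d):
    """Extraction: S = [lambda_1'/d]; even S -> 0, odd S -> 1."""
    lam, _, _ = dominant_triple(block)
    return int(lam // d) % 2


def perturb(block, amp=3):
    """Constructed stand-in for a mild channel distortion (+-amp checkerboard),
    not the JPEG model of the chapter. Its spectral norm is 4*amp for a 4x4
    block, which stays inside the d/2 margin of the red and blue layers."""
    return [[_clip8(p + (amp if (i + j) % 2 == 0 else -amp)) for j, p in enumerate(row)]
            for i, row in enumerate(block)]


# Constructed sample: four 4x4 blocks of one color layer, mid-range intensities.
SAMPLE_BLOCKS = [
    [[120, 125, 130, 128], [118, 122, 127, 131], [121, 124, 129, 133], [119, 123, 126, 130]],
    [[60, 62, 65, 61], [63, 64, 66, 60], [59, 61, 63, 64], [62, 65, 60, 61]],
    [[200, 190, 180, 170], [195, 185, 175, 165], [190, 180, 170, 160], [185, 175, 165, 155]],
    [[95, 140, 95, 140], [140, 95, 140, 95], [95, 140, 95, 140], [140, 95, 140, 95]],
]
SAMPLE_BITS = [1, 0, 1, 1]


def round_trip(blocks=SAMPLE_BLOCKS, bits=SAMPLE_BITS, d=D_STEP["red"], amp=3):
    """Embed bits, then extract them from the clean and from the perturbed stego blocks."""
    stego = [embed_bit(b, bit, d) for b, bit in zip(blocks, bits)]
    clean = [extract_bit(b, d) for b in stego]
    noisy = [extract_bit(perturb(b, amp), d) for b in stego]
    return clean, noisy


if __name__ == "__main__":
    print(round_trip())
```

Rounding the rebuilt pixels moves $\lambda_1'$ by at most 2 for a 4x4 block (the Frobenius norm of the rounding error), which is why the embedded value is placed at the middle of its quantization interval: the interval half-width $d/2$ is the distortion budget the extractor can absorb.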
Fig. 2.2. An example of the use of Technique 1 for embedding an image into a cover one.

Fig. 2.2.a. Cover image. It is presented in RGB format and is of size 600x512 pixels.

Fig. 2.2.b. Image to be transmitted. It is gray and is of size 240x120.

Fig. 2.2.c. Recovered hidden image. The stego-image was subjected to JPEG compression.

This approach to data embedding provides a sufficiently high rate of embedded data, although its bit rate is less than the one provided by LSB techniques. For example, let the cover image be of size 600x512 (see Fig. 2.2.a) and $s = 4$. It comprises 150x128 blocks of size 4x4 in each color. Therefore this technique makes it possible to embed up to 57600 bits. The picture to be embedded (see Fig. 2.2.b) is of size 240x120 and is segmented into 200 blocks of size 12x12. Due to TSVD compression (see Section 2.2), each such 12x12 block is represented by a code of length 288 bits, which is why the total size of the image of Fig. 2.2.b in TSVD format is equal to 56000 bits. Hence, it is possible to embed it into the image depicted in Fig. 2.2.a.

This technique was subjected to several experimental studies. An example of such a study is given in Fig. 2.2. The cover image (Fig. 2.2.a) containing the embedded image (Fig. 2.2.b) was distorted by JPEG compression and then transformed back into BMP format. The hidden image extracted from the JPEG-distorted stego-image is depicted in Fig. 2.2.c. One can see that the quality of the reconstructed image is not excellent but is very satisfactory. Notice that the bit rate of the TSVD image to be embedded can be increased using a Huffman-like compression of the TSVD files for each block.

Embedding and recovery procedures could be equipped with a secret key to seed the blocks, thus providing an additional level of security. To improve the survivability of the hidden data during transmission it is possible to transmit the same image several times using various covers. It should be noticed that if the image to be hidden is of very large size then its transmission could be implemented using several cover images.

2.3.2. Technique 2

This technique uses a different approach to embed data into a cover image. Notice that the type of the embedded binary file is irrelevant. A bit of information is embedded into a block of the segmented cover image. The block size can be chosen arbitrarily.

Let the cover image be represented in 24 bit (RGB) format. Data can be embedded independently into each RGB layer of the cover image or, optionally, into specified layer(s). Let the size of the blocks of the cover image segmentation be $m \times k$ pixels, and let $A$ be the matrix of a block of the cover corresponding to a color layer from Red, Green or Blue. Let a bit $b$ be embedded into block $A$ of a layer.

The algorithm of the embedding procedure is as follows:

1. Compute the singular value decomposition of matrix $A$. Let $V_A = [\lambda_1, \lambda_2, \ldots, \lambda_r]$ be the vector of singular values of matrix $A$ ordered in decreasing mode, and $X_i$ and $Y_i$ the singular vectors of matrix $A$, $i = 1, 2, \ldots, r$, where $r$ is the rank of matrix $A$.

2. Compute the Euclidean norm of the vector $V_A$, $\mathrm{Norm}(V_A) = \sqrt{\sum_{i=1}^{r} (v_i)^2}$, where $v_i$, $i = 1, 2, \ldots, r$, are the components of the vector $V_A$.

3. Select the value of Delta, which is the step of quantization of the Euclidean norm of the vector $V_A$.

Remark 1. The appropriate value of Delta depends on the color layer used for embedding a bit of data and has been chosen for each layer through simulation. Notice that the value of Delta can play the role of a component of the secret key restricting access to the hidden data. One more way to increase the secrecy is to use an uneven quantization of $\mathrm{Norm}(V_A)$.

4. Compute the integer $N = [\mathrm{Norm}(V_A)/\mathrm{Delta}]$, where $[\cdot]$ is the integer part of the quotient of division.

5. Embed bit $b$ according to the following algorithm:

If $b = 1$ then
    {if $N$ is odd then $N' = N + 1$ else $N' = N$}
else (if $b = 0$)
    {if $N$ is even then $N' = N + 1$ else $N' = N$}

(so that $N'$ is even for $b = 1$ and odd for $b = 0$, which is the rule the extraction procedure below relies on).

6. Compute the modified norm of the vector of the singular values:

$\mathrm{Norm}(V_A') = N' \times \mathrm{Delta} + \mathrm{Delta}/2$.

7. Compute the modified vector of the singular values:

$V_A' = V_A \times (\mathrm{Norm}(V_A') / \mathrm{Norm}(V_A))$.

8. Compute the modified matrix of the block in which bit $b$ is embedded:

$$A' = \sum_{i=1}^{r} \lambda_i' X_i Y_i^T.$$

9. End of the embedding procedure.


Fig. 2.3. Dependencies between the degree of JPEG compression (horizontal) and the probability of the watermark presence (vertical) for various values of Delta (averaged over a set of images). Plotted series: Red 40, Red 48, Red 32; Blue 40, Blue 48, Blue 32.


The described algorithm must be applied to each block of the cover in which a bit of data is to be embedded.

The embedding procedure may provide restricted access to the hidden data via seeding of the binary string to be embedded in a pseudo-random mode or via transpositions of the lines and columns [Gorodetski3 et al-00].

The extraction task is simpler than the embedding. Let A be the matrix of a block containing a hidden 
bit b of data that must be extracted. 

1. Compute the singular value decomposition of block A. Let V' be the vector of singular values 
ordered in decreasing fashion, and let X_i and Y_i, i = 1, 2, ..., r, be the singular vectors of matrix A, 
where r is the rank of matrix A. 

Remark 2. The SVs and singular vectors of the same block A of the modified cover image can be 
additionally modified during transmission or changed intentionally. For simplicity, we denote them in 
the same way as they were denoted in the embedding procedure. 

2. Compute the Euclidean norm of vector V': $\mathrm{Norm}(V') = \sqrt{\sum_{i=1}^{r} (v'_i)^2}$. 

3. Compute $N = [\mathrm{Norm}(V')/\Delta]$, where $[\cdot]$ is the integer part of the quotient. 

4. Compute the value of the hidden bit b: 

{If N is even then b = 1 else b = 0} 

5. End of the extraction procedure. 

The described embedding (extraction) algorithm must be applied to each block of the cover 
(stego-image) in which a bit of data is embedded. The extraction procedure requires knowledge of the 
secret key if one has been applied in embedding. Since embedding places Norm(V') at the centre of its 
quantization cell, any distortion that shifts the norm by less than Delta/2 leaves N, and hence the 
extracted bit, unchanged; this is the source of the robustness studied below, and the reason a larger 
Delta buys robustness at the price of a larger, and eventually visible, modification of the block. 
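As an added worked example (written for this edition, not the Project's own software), the following Python carries one bit through the embedding and extraction procedures above. It relies on two facts: the Euclidean norm of the vector of singular values equals the Frobenius norm of the block, and step 7 multiplies every singular value by the same factor, so step 8 amounts to scaling the whole block by Norm(V')/Norm(V). The procedure can therefore be reproduced without an SVD routine, although the Project's implementation computes the SVD. The sample block, the rounding to 8-bit pixels and the distortion model (a pure rescaling of the block, which is the worst case for the norm) are constructed for the example; Delta = 40 is the value the text reports for the red layer.

```python
import math


def frobenius_norm(block):
    """Norm(V) of the text: the Euclidean norm of the singular values of `block`.
    For any real matrix the sum of squared singular values equals the sum of
    squared entries, so the value is available without computing the SVD."""
    return math.sqrt(sum(x * x for row in block for x in row))


def embed_bit(block, bit, delta):
    """Steps 3-8 of the embedding procedure for one block; returns A'."""
    norm = frobenius_norm(block)
    if norm == 0.0:
        raise ValueError("an all-zero block cannot be rescaled to carry a bit")
    n = int(norm // delta)                      # step 4: N = [Norm(V)/Delta]
    if (n % 2 == 0) != (bit == 1):              # step 5: even N <-> 1, odd N <-> 0
        n += 1
    new_norm = n * delta + delta / 2            # step 6: centre of cell N
    scale = new_norm / norm                     # step 7: V' = V * Norm(V')/Norm(V)
    # step 8: A' = sum_i v'_i X_i Y_i^T; a common factor on every v_i scales A
    return [[x * scale for x in row] for row in block]


def extract_bit(block, delta):
    """Steps 2-4 of the extraction procedure (blind: the cover is not needed)."""
    n = int(frobenius_norm(block) // delta)
    return 1 if n % 2 == 0 else 0


def to_pixels(block):
    """Round the rescaled block to 8-bit gray levels, as a real cover requires."""
    return [[min(255, max(0, int(round(x)))) for x in row] for row in block]


def shift_norm(block, amount):
    """Constructed distortion: move Norm(V) by exactly `amount`, the worst case
    for the detector because the whole change acts along the norm."""
    norm = frobenius_norm(block)
    return [[x * (norm + amount) / norm for x in row] for row in block]


def sample_block(size=8):
    """Constructed gray-level block with values in 40..189 (not one of the
    Project's test images); it stays far from the 0/255 clipping limits."""
    return [[40.0 + (37 * i + 59 * j) % 150 for j in range(size)]
            for i in range(size)]


def survives(bit, delta, amount, block=None):
    """Embed `bit`, store as pixels, shift the norm by `amount`, re-extract."""
    block = sample_block() if block is None else block
    stego = to_pixels(embed_bit(block, bit, delta))
    return extract_bit(shift_norm(stego, amount), delta) == bit


if __name__ == "__main__":
    delta = 40.0                                # Delta(Red) reported in the text
    for bit in (0, 1):
        stego = to_pixels(embed_bit(sample_block(), bit, delta))
        print("embedded", bit, "extracted", extract_bit(stego, delta),
              "norm", round(frobenius_norm(stego), 1))
    print("shift +15 survives:", survives(1, delta, 15.0),
          " shift +25 survives:", survives(1, delta, 25.0))
```

With Delta = 40 the embedded norm sits at the centre of a cell of width 40, so a norm shift of up to 20 is tolerated. Rounding the rescaled block to integer pixels moves the norm of an 8x8 block by at most 4 (each pixel by at most 0.5), which leaves a margin of about 16: in the example a shift of 15 is survived while a shift of 25 flips the bit. JPEG is not a pure rescaling, so this margin is a bound on the norm shift the detector tolerates rather than a prediction of the curves in Fig. 2.3. The function also refuses an all-zero block, which cannot be rescaled to carry a bit and must be skipped by the block selection.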

This technique was investigated statistically from several points of view. The first task was 
to explore the optimal values of Delta in the trade-off between the robustness of the hidden data 
and its visibility. It was established that the appropriate value of Delta depends on the color layer. 
Fig. 2.3 gives the results of the simulation-based investigation of these dependencies. One can see 
that the optimal choices of Delta for a given color layer are close to the following: 

Delta(Red) = 40, Delta(Green) = 24, Delta(Blue) = 48. 

Given such values of Delta, Technique 2 proves robust to JPEG compression up to a compression 
degree of 40%, with a watermark presence probability of 0.7-0.8. 

Special attention was paid to the relationship between the degree of JPEG compression, the 
redundancy of the embedded watermark and the probability of the watermark presence. In this study 
redundancy is understood as the number of embedded copies of the watermark. The results are 
displayed in Fig. 2.4. One can see that redundancy presents an additional way to increase the 
robustness of Technique 2. 

Fig. 2.4. Dependency between degree of JPEG compression (horizontal axis) and probability of the 
watermark presence for various degrees of redundancy (plot legend: redundancy of the embedded 
watermark 1, 3, 6). 

Fig. 2.5 gives an example of using Technique 2 for embedding an emf-file into a digital image. 
The left-hand image (Fig. 2.5.a) is the cover image (in gray scale) with the embedded emf-file. The 
right-hand image (Fig. 2.5.b) depicts the cover image with the extracted data, which indicates, for 
example, to a pilot the route to follow that was hidden in the transmitted image. 

2.4.  Conclusion  of  the  Chapter  2 

This Chapter presents the main final result of the steganography-oriented research on the 
Project. It is a novel approach to digital image steganography and two particular techniques 
implementing this approach. Both techniques utilize the concept of embedding data through slight 
modifications of singular values of small blocks of the cover image. 

The techniques, implemented in software, were subjected to statistical analysis of their 
robustness and of the allowable rate of covertly embedded data. In particular, it is shown that the 
developed approach to data hiding is robust to JPEG compression up to 40%. It is blind, i.e. the 
hidden data can be extracted without possessing the original cover image. Embedding and recovery 
procedures can be equipped with a password and a secret key to seed blocks, thus providing restricted 
access to the hidden data. There exist several additional attributes resulting in additional security 
assurance. 


Fig. 2.5.a. Cover image containing an invisibly embedded emf-file representing an aircraft route. 
Fig. 2.5.b. Extracted route drawn over the cover image. 

Fig. 2.5. An example of the use of Technique 2 to hide the route of an aircraft in a map. The hidden data 
are represented in the emf graphical format. 

The analyses indicate that the developed techniques are suitable for hidden communication 
that calls for a high rate and appropriate survivability of the embedded data and invisibility of the 
hidden data, and for watermarking, where the main requirement is robustness to common and 
some intentional distortions. 

The  approach  is  demonstrated  by  several  examples  of  practical  applications. 
3. General Conclusion on the Project 

According to the Project Work Plan the main tasks that the Project addressed are as 
follows: 

1)  Development  of  the  architecture  of  the  agent-based  information  security  system  on 
the  whole  and  architectures  of  particular  agents;  development  of  the  ontology  of 
information  security  domain  to  design  and  to  decompose  distributed  knowledge  base 
structure. 

2)  Development  of  a  formal  framework  for  representation  of  the  agents'  distributed 
knowledge. 

3)  Development  of  the  procedure  of  the  agents'  cooperation  for  integrated  information 
security  task  solving. 

4)  Development  and  mathematical  justification  of  the  new  methods  of  image -based 
information  hiding  (image -based  steganography)  to  provide  safe  channels  of 
information  exchange. 

All  aforementioned  tasks  were  solved  and  the  results  were  submitted  to  the  Partner  in  three 
Interim  and  two  Final  reports.  The  results  of  the  research  were  published  in  proceedings  of  seven 
international  conferences  and  workshops  with  reviewed  articles.  Two  papers  have  been  accepted 
already  to  the  forthcoming  international  workshop  on  computer  network  security. 

This Report presents the final results of the research. The Project objectives include two in 
some sense independent tasks. One of them concerns the multi-agent model and software 
prototype of the computer network security system and the other one concerns digital image 
steganography. Accordingly, this Final Report comprises two chapters. Each of them is devoted to a 
brief outline of the respective results submitted in previous reports and to the description of the 
new results that were achieved during the final phase of the research. In both Chapters we 
accentuate the software developed for verification and validation of the theoretical results, i.e. for 
verification and validation of the developed approaches, methods, architectures, techniques and 
algorithms associated with the Project tasks. 

Chapter 1 considers the developed Case Study of the network security system, which is a 
software implementation of the multi-agent security system. The Case Study is composed of 
particular autonomous knowledge-based agents, distributed over the hosts of the computer network 
to be protected and cooperating to make integrated, consistent decisions. Chapter 1 describes the 
architecture of the security system Case Study and the architectures of its components, namely the 
particular software agents, communication components and software intended to simulate the 
input traffic. The Case Study architecture corresponds to a multi-agent system protecting a 
segment of a Local Area Network comprising four hosts to be protected. Each host-based 
component of the network security system comprises seven specialized software agents situated on 
the host. In total, the Case Study comprises 28 interacting software agents distributed over the 
network. 

Simulation of the Case Study displayed a number of advantages of the multi-agent architecture 
for protection of a computer network against distributed attacks. The most significant of them is the 
capability of the comparatively "light" components of a multi-agent security system to cooperate to 
solve a "heavy" task. At present the only way to detect a distributed attack against a computer 
network efficiently is cooperation of security software entities (agents) distributed over the hosts 
of the network and within each host itself. A sample of the usefulness of agent cooperation can be seen 
within the described example. In particular, detection of a combined spoofing attack became 
possible only due to cooperation of the software agents situated on different hosts. One more 
example of the necessity and usefulness of the cooperation of security agents is the operation of the 
knowledge-based agent named IDA2. It is intended to collect information about suspicious 
behavior of users at many entry points of the native host and to exchange information with similar 
agents of the other hosts to make an integral decision about the status of connections. In the developed 
case study this agent has been provided with a comparatively poor knowledge base and cannot play 
a significant role in intrusion detection. In the further development of the case study a significant 
accent must be made on enrichment of its knowledge base and on increasing its role in 
distributed attack detection. 

The Case Study is implemented as a distributed multi-agent system whose components 
interact via message exchange. The simulation scenario, the input traffic model and the peculiarities of the 
distributed security system operation are described. Major attention is paid to the intrusion 
detection task and to the agents' interactions during detection of an attack against the computer network. 
The Case Study implementation was carried out on the basis of the Multi-agent System Development 
Kit developed by the authors of the research. The software code is developed using Visual C++, JAVA 
2 and XML. 

Chapter 2 outlines concisely the main steganography-oriented results of the Project. 
These results are twofold. The first result is the development of a new approach to transparent 
embedding of data into digital images. This approach is capable of providing a tradeoff between a high 
rate of the embedded data and robustness to common and some intentional distortions, in particular 
to JPEG compression. The developed technique makes use of the properties of the singular value 
decomposition (SVD) of a digital image. According to these properties each singular value specifies 
the luminance of the respective SVD image layer, whereas the respective pair of singular vectors specifies 
image geometry. Therefore slight variations of singular values do not visibly affect the cover 
image quality. The idea of the proposed approach is to embed a bit of data through slight 
modifications of singular values of a small block of the segmented cover. The approach is robust 
because it embeds the extra data into low bands of the cover in a distributed way. The size of the 
small blocks is used as an attribute to achieve a tradeoff between the embedded data rate and 
robustness as required by the application. An advantage of the approach is that it is blind. 
Simulation has proved its robustness to JPEG compression up to 40%. The approach can be used 
both for hidden communication and for watermarking. 

The second result is the development of a format for compressed representation of digital 
images to be embedded into a cover one. The idea of the compression is based on using the SVD of the image 
color matrices. SVD makes it possible to represent an image as a partial sum of the most 
significant layers corresponding to the largest singular values. This idea is applied to each small 
block of the segmented image. The developed format is capable of providing compression to 2 
bit/pixel. Combined with the developed technique for hiding data in digital images, it makes 
robust embedding of a digital image into a cover one possible. 

All  theoretical  results  of  the  Project  are  validated  using  thorough  simulation  on  the  basis  of 
the  developed  software.  The  developed  software  will  be  demonstrated  and  submitted  to  the  Partner. 
Appendix A1. Case Study Model 

A1.1. Structure of the basic concepts of the case study 

One of the main concepts of the case study is the concept of "current connection". This 
concept serves to form in the CNSS a generalized representation of the sequence of input messages 
(packets) of one connection, and also to reflect the current status of the connection on the basis of 
the messages that have arrived up to the current moment. This concept is the basis for the 
definition of the CNSS performance scheme: the CNSS performance process can be represented as 
the distributed processing of instances of this concept by the various classes of security agents 
according to their specialization. 

When the first message, intended to activate a new connection, arrives on a host, the agent 
AD-E of this host forms the description of the connection as an instance of this concept. The 
attribute values of this instance can vary dynamically as a result of processing the subsequent 
messages within the current connection. As the processing of connections in a multi-agent 
system is distributed, different agents can hold information on the same connection 
simultaneously; this information processing is coordinated according to the preset scheme of agents' 
interaction. At connection completion the corresponding instance of the concept "current connection" 
is transferred to the archive of completed connections. 

The list of attributes used in the model of the concept "current connection", which the security 
agents of a host operate with, is presented in Table A.1. 

Table A.1. The list of attributes used in the model of the concept "current connection" 

  Attribute         Meaning 
  ID                Unique identifier of an instance of the concept "current connection" 
  IP address        IP address of the host establishing the connection 
  Port destination  Number of the port with which the connection is established 
  Flag              Connection status 
  Last sqn_no       Sequence number of the last received tcp-packet 
  Access            Access rights 
  Time on           Time of the connection beginning 
  Time last tcp     Time of arrival of the last message received in the connection 
  Time life         Lifetime of the connection in the current status 
  Fact              Fact of a suspicious action detected in the connection 
  Data              Contents of the field "Data" of the last tcp-packet received in the connection 
  N                 Reserve numerical field 

The value of the field ID is an unambiguous identifier of the instance of the concept "current 
connection". 

The  values  of  attributes  IP  address,  Port  destination  and  Time  on  are  assigned  on  the  basis  of 
parameters  of  the  first  tcp-message  in  connection  and  do  not  vary. 

The field Flag identifies the current status of the connection. The list of possible statuses of the 
connection is defined by the scheme of transitions of the current connection statuses (Fig. A.1). The 
main states of the connection are the following: 

•  HOC (Half Open Connection) - status originating after the first phase of the "hand shake", 

•  Set connection - status originating after the third phase of the "hand shake", 

•  Login - status originating after identification and authentication of the user, 

•  Closed - completed connection (the transition to this status is carried out after reception of the 
TCP-message with the flag Fin or on time-out). 

Fig. A.1. Scheme of transitions of the current connection statuses 

The enumerated statuses of the connection change as a result of the arrival of new messages. 

Besides, the statuses of the connection can change automatically after defined time intervals. 
Thus the following classes of connection statuses are distinguished: 

•  BC (Bad connection) - the status to which the connection transfers from the status HOC after 
the time interval Ack_wait_time, 

•  BC closed - the status to which the connection transfers from the status BC after the time 
interval Bad_connection_life, 

•  BSC (Bad set connection) - the status to which the connection transfers from the status Set 
connection after the time interval Set_connection_life. 

The time intervals of the connection existence in the absence of new messages are determined 
by the values of the attribute Time life; the instant defined by the attribute Time last tcp is the 
reference point for counting them (a connection expires when the current model time exceeds 
Time last tcp + Time life). Besides the enumerated classes of connection statuses, reached as a 
result of received messages or on time-out, one more intermediate status causing suspicion is 
identified: 

•  Closed set connection - status originating after reception of the message with the flag Fin 
while the connection is in the status Set connection. 

The value of the attribute Last sqn_no is updated at the arrival of each new message. This 
attribute value is the formal tag for identifying the next message in the connection. 

The value of the attribute Access sets the access rights within the connection, which are 
determined during identification and authentication of the user. 

If during the connection an action that is suspicious from the security point of view is found, this 
fact is fixed using the value of the attribute Fact. If several facts of suspicious actions were 
detected in the connection, the attribute holds the name of the class of the last detected action. 
There is no "loss" of the facts detected earlier, because every connection with a detected suspicious 
fact is recorded in the database of the agent IDA2; thus, if several facts of suspicious actions are 
detected during the connection, all of them are recorded in the IDA2 database. 

In the field Data the data string from the same field of the last received message is stored. 

Thus the concept "current connection" is the basic concept for the organization of the agents' 
interaction in the CNSS and for the generation of the contents of the transmitted messages. On the basis of 
this concept a number of additional concepts for detection of the attack classes "Denial of 
service" and "port scanning" is implemented. The agents AD-P1 use these concepts, therefore the 
definition of these concepts is given in the description of the behavior scripts of this agent 
class. 


A1.2. Scripts of the agents' behavior 

In this subsection the behavior scripts of the following agent classes are defined: 

•  AD-E - agent-demons preprocessing the input tcp-messages, 

•  AD-P1 - agent-demons detecting patterns in a connection before the moment of the user's 
authentication and identification, 

•  AD-P2 - agent-demons detecting patterns in a connection after the moment of the user's 
authentication and identification, 

•  AIA - identification and authentication agents, 

•  ACA - access control agents, 

•  IDA1 - intrusion detection agents revealing the combined spoofing attack class, 

•  IDA2 - intrusion detection agents revealing complex attack scripts. 

The behavior of the agents of all classes is described according to the following scheme. 

First a diagram is given which determines (1) the agent classes with which an agent of the 
described class cooperates, (2) the content of the input and output messages as concept classes, 
(3) the enumeration of the agent's behavior scripts defined by the meta-rules. If more than one 
behavior script is defined for an agent class, a common meta-script of the agent's behavior is also 
defined. This meta-script is responsible for the choice of the necessary behavior script depending 
on the class and content of the input message. 

Then a more detailed description of each behavior script is given. The scripts are entered by 
means of a special editor that is a MASDK component. The user interface of this editor consists of 
several windows. The main window of the editor displays the general behavior script as a decision 
tree. The auxiliary windows display detailed representations of the separate rules of the decision 
tree. Further in the appendix a common definition of the agents' behavior scripts is given. 

Fig. A.2 (where MR stands for meta-rule) allows one to restore the correspondence between the 
general representation of the behavior scripts described earlier (subsection 1.4) and the 
representation used in the main window of the editor. 

Fig. A.2. The representation of the agent AD-E behavior script (Script "A") 


A1.2.1. Scripts of the agent AD-E operation 

The main task of an agent-demon is the preprocessing of the input tcp-messages arriving 
from the Input Traffic Model (Fig. A.3). The preprocessing of such messages uses the data 
about the current connection to which the input message belongs. Besides these messages, marks 
of model time and facts concerning current connections, in the format of the current connection 
description, can arrive at the input of the agent. The agent's behavior script is selected 
depending on the contents of the arrived message on the basis of a preset behavior model: script 
A is selected for processing the tcp-messages, script B for processing the time stamps, and 
script C for processing the facts concerning current connections. 
Fig. A.3. Common scheme of the agent AD-E operation (inputs from the Input traffic model, IDA1 
and AIA; contents of the input messages: Tcp, Time, Cnc) 


Script A. Common scheme of preprocessing of the received tcp-messages 

Fig. A.4. Rules of the input tcp-messages preprocessing 


Fig. A.4 represents four generalized rules of the behavior of the agent class AD-E (see the upper 
window). 

A.1. The rule determines that an input tcp-message with the flag Syn is received; this message 
corresponds to a new connection establishment (the generalized condition of this rule is shown in 
Fig. A.4, line 1 in the upper window). According to this rule two decision variants are realized 
depending on different conditions. 

A.1.1. The input tcp-message with the flag Syn is received, and this message corresponds to a new 
connection establishment on behalf of some host H belonging to the defended network 
(the generalized condition and action of this rule are shown in Fig. A.4, line 2 in the upper window). 
The agent-demon has information that the attack "Denial of service" is being carried out against 
host H; the record in the form "current connection" in this agent's database (see Table A.2) 
testifies to this fact. This record was registered in the agent's database during execution of the 
behavior rule C.1 of the same agent (see below). A host under a denial of service attack is not in a 
position to open connections itself, so the message imitates a connection from H. As a result of 
processing the received message the available record about the current connection is modified (see 
Table A.2), and this information is addressed to the agent IDA1 on the same host. 

Table A.2. 

  Attribute         Initial record        Modification of the record attributes 
  ID                -                     Current N + 1 
  IP address        Tcp(Client.address)   = 
  Port destination  -                     Tcp(Server.port) 
  Flag              -                     HOC 
  Last sqn_no       -                     Tcp(sqn_no) 
  Access            -                     - 
  Time on           -                     Tcp(time) 
  Time last tcp     -                     Tcp(time) 
  Time life         -                     Ack_wait_time 
  Fact              Denial of service     Connect imitation 
  Data              -                     - 

Designations: "-" - the value is not defined, "=" - the former value is kept. 


A.1.2. The received input tcp-message with the flag Syn corresponds to a new connection 
establishment (see Fig. A.4, line 3 in the upper window). The registration record of a new 
connection (Table A.3) is generated in the agent's database in the format of the concept "Current 
connection", and this information is transferred to the agent AD-P1. 


Table A.3. 

  Attribute         Value in the new record 
  ID                Current N + 1 
  IP address        Tcp(Client.address) 
  Port destination  Tcp(Server.port) 
  Flag              HOC 
  Last sqn_no       Tcp(sqn_no) 
  Access            - 
  Time on           Tcp(time) 
  Time last tcp     Tcp(time) 
  Time life         Ack_wait_time 
  Fact              - 
  Data              - 

A.2. The rule determines that an input tcp-message with the flag Ack is received; this message 
corresponds to the last phase of the "hand shake" (see Fig. A.4, line 4 in the upper window and also the 
contents of the two windows below, where this rule is marked). On the basis of the sequence number the record 
corresponding to this connection is found in the database, and on the basis of the parameters of the received 
message this record is modified (Table A.4). 
Table A.4. 

  Attribute         Modification of the record attributes 
  ID                = 
  IP address        = 
  Port destination  = 
  Flag              Set connection 
  Last sqn_no       sqn_no + 1 
  Access            - 
  Time on           = 
  Time last tcp     Tcp(time) 
  Time life         Connection life time 
  Fact              = 
  Data              - 

A.2.1. The field Fact of the current connection does not contain any data (Fig. A.4, line 5 in the 
upper window). This condition corresponds to a normal connection. 

A.2.2. The value of the field Fact of the current connection is Denial of service (Fig. A.4, line 6 in 
the upper window). In this case the value of the field Fact changes to Connect imitation, and this 
information is transferred to the agent IDA1. 

A.3. The rule determines that a tcp-message transmitting data is received (see Fig. A.4, line 
7 in the upper window). On the basis of the message sequence number the record corresponding to 
this connection is found in the database, and on the basis of the received message parameters the 
attributes of this record are modified (Table A.5). 


Table A.5. 

  Attribute         Modification of the record attributes 
  ID                = 
  IP address        = 
  Port destination  = 
  Flag              = 
  Last sqn_no       Tcp(sqn_no) 
  Access            = 
  Time on           = 
  Time last tcp     Tcp(time) 
  Time life         Connection lifetime 
  Fact              = 
  Data              Tcp(data) 

A.3.1. The rule determines that the connection is in the status Set connection, and dispatches to 
the agent AIA the message about the connection, including the data from the field Data of the input 
tcp-message (see Fig. A.4, line 8 in the upper window). 

A.3.2. The rule determines that the connection is in the status Login, and dispatches to the agent 
ACA the message about the connection, including the data from the field Data of the input 
tcp-message (see Fig. A.4, line 9 in the upper window). 

A.4. The rule determines that a tcp-message with the flag Fin is received; this message corresponds 
to the connection closing (see Fig. A.4, line 10 in the upper window). On the basis of the message 
sequence number the record corresponding to the connection is found in the database. 

A.4.1. The rule determines that the connection is in the status Set connection (see Fig. A.4, line 11 
in the upper window), i.e. it is being closed without any data having been transmitted. In this case 
the value Empty connection is assigned to the attribute Fact in the record about the connection, and 
the information about the connection is transferred to the agent AD-P1. 

A.4.2. The record about the connection is deleted from the agent's database (see Fig. A.4, line 12 
in the upper window). If the description of the connection contains any detected fact of 
non-authorized actions, then the information on the completed connection is recorded in the archive of 
completed connections. 

Script B. Supervision of the lifetime of the connections in their current statuses 

Fig. A.5. Rules of the time stamps processing 

B.1. The condition of the rule determines that a message on the current value of the model time is 
received (see Fig. A.5, line 1 in the upper window). 

B.1.1. The rule sets the order of execution of the subsequent rules of this level of the decision tree 
(see Fig. A.5, line 2 in the upper window). 

B.1.2. The rule finds the first record about a connection whose lifetime in the current status has 
expired (the selection condition is Exist Connect where time_last_tcp + life_time < current_time) 
(see Fig. A.5, line 3 in the upper window). 
B.1.2.1. The connection is transferred from the status HOC (Half open connection) to the status 
Bad connection, the corresponding lifetime value (Bad_connection_life) is assigned to the attribute 
Life_time, and the message on the connection status is transferred to the agent AD-P1 (see Fig. A.5, 
line 4 in the upper window and also the contents of the two windows below, where this rule is marked). 

B.1.2.2. The connection is transferred from the status Set connection to the status Bad set 
connection and this information is transmitted to the agent AD-P1; then the record about the 
connection is deleted from the database and recorded in the archive of completed connections 
(see Fig. A.5, line 5 in the upper window). 

B.1.2.3. The connection is in the status Login. In this case the record is deleted from the database 
(see Fig. A.5, line 6 in the upper window). 

B.1.2.4. The connection is transferred from the status Set connection to BSC (Bad set 
connection) and this information is transmitted to the agent AD-P1; then the record about the 
connection is deleted from the database and recorded in the archive of completed 
connections (see Fig. A.5, line 7 in the upper window). 

Script C. Responses to the facts about the connections 


Fig.A.6. Rules of the registration of the detected facts in connections 

C.1. The rule determines that a message (from the agent AD-PI of another host) about detection of the 
attack Denial of Service has come (see Fig.A.6, line 1 in the upper window). The message arrives 
in the format of Table A.6. 

C.1.1. The rule searches for a record about a connection from the host H opened within a preset time 
interval (see Fig.A.6, line 2 in the upper window and also contents of the two windows below, this 
rule is marked). The search for such a record uses the address of the host H and the 
defined time interval. If such a connection is found, then in the corresponding record the value 
of the attribute Fact is changed from Denial of service to Connect imitation. 

C.1.2. The rule checks that during the preset time interval no connection from the host H was 
opened (see Fig.A.6, line 3 in the upper window). In this case the obtained warning is recorded in 
the agent's database and is used later during execution of the rule A.1.1. 


Table A.6. Message about the detected Denial of service attack (initial record) 

Attribute          Initial record 
ID                 - 
IP address         Tcp(Client.address) = Host H 
Port destination   - 
Flag               - 
Last sqn_no        - 
Access             - 
Time on            - 
Time lasttcp       - 
Time life          - 
Fact               Denial of service 
Data               - 

C.2. The rule determines that the answer message from the agent AIA about the identification and 
authentication results has come (see Fig.A.6, line 4 in the upper window). 

C.2.1. The value of the flag Log in the obtained connection testifies to a successful identification 
and authentication (see Fig.A.6, line 5 in the upper window). In this case in the connection 
record of the agent's database the status flag changes to Log, and the access level defined by the 
agent AIA according to the access control rules is assigned to the attribute Access. 

C.2.2. This case corresponds to a negative result of the identification and authentication (see 
Fig.A.6, line 6 in the upper window). The connection remains in the status Set connection, and 
the value Bad login is assigned to the attribute Fact. 


A1.2.2. Scripts of the agent AD-PI operation 

The main function of this agent class (see Fig.A.7) is to maintain current count statistics 
of open connections for detection of port scanning and of the Syn flood attack of the class Denial of 
service. Fig.A.8 gives an informal explanation of the behaviour script defined for this agent. 


Fig.A.7. Common scheme of the agent AD-PI operation (agent daemon; input messages: Cnc; 
behaviour script: Script 1; output messages: Cnc (Port_scan) and Cnc (Denial of service), 
delivered to the agents IDA1 and IDA2) 

The formal tag of port scanning is the number of connections opened from one host. A 
conclusion about possible port scanning can be drawn if this number exceeds a 
preset threshold. This conclusion is used to construct the rule of port scanning detection. 
However, on this basis a more exact rule can be generated, taking into account the variety of 
ports and also the presence of informative actions in these connections. 


Fig.A.8. Graphical representation of rules of attack detection by the agent AD-PI (number of 
half open connections, for port scanning, against time t; Max number is the threshold for port 
scanning detection; Scan life marks the counting intervals) 

A formal tag of the Syn flood attack is the number of connections on the same port that are 
in the status Bad connection at the current instant. A conclusion about the possible development of this 
attack is drawn if this number exceeds a preset threshold. 

To construct these detection rules the agent AD-PI uses the reserved attribute N 
(number of the connections possessing defined parameters) of the defined concept "current 
connection" (see Table A.1). 

Script A. Supervision of the number of the "bad" connections 

A.1. The condition of the rule determines that a message about a connection transferred to the 
status Bad connection has come (see Fig.A.9, line 1 in the upper window). 


Fig.A.9. Rules of the "bad" connections generalization 

A.1.1. The rule determines that there are already connections with the same host in the status Bad 
connection and increments the value N by 1 in the corresponding record of the concept "current connection" 
(see Fig.A.9, line 2 in the upper window). The search for the record uses the following 
parameters: IP address, Port destination and the value Bad connection of the connection 
status in the field Flag. 

A.1.1.1. If the value N has exceeded a preset maximum threshold, then the value Denial of 
service (Syn Flood) is assigned to the field Fact, and the instant when the last connection 
was transferred to the status Bad connection is recorded in the field Time lasttcp (see Fig.A.9, line 3 
in the upper window, and also contents of the two windows below, this rule is marked). The 
message about the detected fact is transmitted to all agents IDA1 of the other hosts, and also to the 
agent IDA2 of the same defended host. 

A.1.2. The rule determines that so far there are no connections in the status Bad connection with the 
host named in the message (see Fig.A.9, line 4 in the upper window). In this case a new 
record with the corresponding parameters from the obtained message is registered, and the value 1 is 
assigned to N. 

B.1. The rule determines that a message about a connection in the status Bad connection being dropped 
on its lifetime has come (see Fig.A.9, line 5 in the upper window). 

B.1.1. The rule finds the corresponding record in the agent's database and decrements the value N 
by 1 in this record (see Fig.A.9, line 6 in the upper window). 

B.1.1.1. If the value N has become equal to 0, then the record is deleted (see Fig.A.9, line 7 in the 
upper window). 


C.1. The rule determines that a message about the beginning of a new connection has come 
from some host (see Fig.A.9, line 8 in the upper window). 

C.1.1. The rule finds the corresponding record in the agent's database and increments the value 
N by 1 in this record (see Fig.A.9, line 9 in the upper window). The search for the record uses 
the following parameters: IP address and the connection status value Half 
open connection. 

C.1.1.1. The rule checks that the time over which the open connections have been counted has not 
exceeded a preset time interval, and that the number of open connections has exceeded a preset 
threshold (see Fig.A.9, line 10 in the upper window). If this condition is true, then a conclusion 
about port scanning is generated and the message about this fact is transferred to the agent IDA2 
of the same host. 

C.1.1.2. The rule checks that the time over which the open connections have been counted has 
exceeded the preset time interval (see Fig.A.9, line 11 in the upper window). In this case the 
relevant record is deleted. 

C.1.2. This rule works if the rule C.1.1 has not found the necessary record in the agent's database 
(see Fig.A.9, line 12 in the upper window). In this case a new record with parameters from the 
arrived message is registered, and the value 1 is assigned to N. 
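The three scripts above are one counting procedure over the attribute N. The following Python model of the agent AD-PI is an example added to this description and is not the Case study's own code; the class and method names (AdPiAgent, on_bad_connection, on_bad_expired, on_new_connection), the threshold values, the time interval and the event trace are assumptions made for illustration, since the report says only that the thresholds and the interval are preset.

```python
# Added example, not code from the original report: a minimal model of the
# AD-PI agent's counting rules (Scripts A, B and C above). The class and
# method names, the thresholds and the event trace are assumptions made here.
from dataclasses import dataclass, field

SYN_FLOOD_MAX = 3        # preset threshold on N for Bad connections per (host, port)
PORT_SCAN_MAX = 4        # preset threshold on N for Half open connections per host
PORT_SCAN_WINDOW = 10.0  # preset time interval for the Half open count (model time)


@dataclass
class AdPiAgent:
    bad: dict = field(default_factory=dict)        # (ip, port) -> N    (Scripts A, B)
    half_open: dict = field(default_factory=dict)  # ip -> [N, t_first] (Script C)
    sent: list = field(default_factory=list)       # (recipient, fact, key) messages

    def on_bad_connection(self, ip, port, now):
        """Script A: a connection moved to status Bad connection."""
        key = (ip, port)
        if key not in self.bad:            # A.1.2: no record yet, N := 1
            self.bad[key] = 1
            return None
        self.bad[key] += 1                 # A.1.1: N := N + 1
        if self.bad[key] > SYN_FLOOD_MAX:  # A.1.1.1: threshold exceeded
            fact = "Denial of service (Syn flood)"
            self.sent.append(("IDA1 of other hosts", fact, key + (now,)))
            self.sent.append(("IDA2 of this host", fact, key + (now,)))
            return fact
        return None

    def on_bad_expired(self, ip, port):
        """Script B: a Bad connection was dropped on its lifetime; returns the new N."""
        key = (ip, port)
        if key in self.bad:
            self.bad[key] -= 1             # B.1.1: N := N - 1
            if self.bad[key] == 0:         # B.1.1.1: record no longer needed
                del self.bad[key]
        return self.bad.get(key, 0)

    def on_new_connection(self, ip, now):
        """Script C: a new (half open) connection from host ip."""
        rec = self.half_open.get(ip)
        if rec is None:                    # C.1.2: new record, N := 1
            self.half_open[ip] = [1, now]
            return None
        rec[0] += 1                        # C.1.1: N := N + 1
        if now - rec[1] > PORT_SCAN_WINDOW:  # C.1.1.2: counting interval is over
            del self.half_open[ip]
            return None
        if rec[0] > PORT_SCAN_MAX:         # C.1.1.1: many opens inside the interval
            self.sent.append(("IDA2 of this host", "Port scanning", (ip, now)))
            return "Port scanning"
        return None


def run_adpi_trace():
    """Constructed event trace: one host opens five connections within 4 time
    units, then four of them time out into Bad connection on port 25."""
    agent = AdPiAgent()
    events = [("new", "10.0.0.7", None, t) for t in (0.0, 1.0, 2.0, 3.0, 4.0)]
    events += [("bad", "10.0.0.7", 25, t) for t in (6.0, 6.5, 7.0, 7.5)]
    conclusions = []
    for kind, ip, port, t in events:
        if kind == "new":
            fact = agent.on_new_connection(ip, t)
        else:
            fact = agent.on_bad_connection(ip, port, t)
        if fact:
            conclusions.append((t, fact))
    return agent, conclusions
```

Two points the model makes visible. First, the rules key the Bad connection count on the pair (IP address, Port destination), so a Syn flood whose source addresses are randomized leaves N equal to 1 on every key and is never reported; the introduction to this section speaks of the number of Bad connections on the same port, and keying on the port alone matches that intent. Second, rule C.1.1.2 simply deletes the Half open record once the preset interval has passed, so the connection that triggered the check is not counted, and a scanner that paces its attempts to fewer than PORT_SCAN_MAX per PORT_SCAN_WINDOW stays below the threshold; restarting the interval with the current connection, or using a sliding window, closes that gap.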

A1.2.3. Scripts of the agent AD-P2 operation 

The agent AD-P2 is responsible for detection of the attacks Port scanning (on the application 
layer), Finger search and Buffer overflow (Fig.A.10). The formal tag for detection of these attack types is 
the presence of a defined string in the data field of an input tcp-message addressed to a defined port. 
For example, under port scanning the tcp-packet field Data can include the substring "expn 
cybercop" in a call to port 25. The collection of such possible combinations 
is kept in the auxiliary table PT. Each combination in this table is mapped to one of three 
possible decisions: 

•  Port scanning, 

•  Finger search, 

•  Buffer overflow. 


Fig.A.10. Common scheme of the agent AD-P2 operation (output messages Cnc (Port scanning), 
Cnc (Buffer overflow) and Cnc (Finger search) are sent to the agent IDA2) 


Fig.A.11. Rules of the agent AD-P2 behaviour 

A.1. The rule uses data from the description of the current connection to which the input tcp-message 
belongs (see Fig.A.11, line 1 in the upper window). At the tcp-message preprocessing 
stage the relevant information (in particular the port number and the string from the tcp-packet data field) 
was transferred to the connection description. The rule receives these data and checks whether 
identical data are present in the auxiliary table PT. 

A.1.1/2/3. If the rule A.1 has detected one of the three enumerated attack classes, then the next three 
subordinate rules register this result in the field Fact of the current connection description (see 
Fig.A.11, lines 2-4 in the upper window). 

A.1.4. On detection of an attack fact this rule generates the appropriate message to the agent 
IDA2 (see Fig.A.11, line 5 in the upper window). 


A1.2.4. Scripts of the agent AIA operation 


Fig.A.12. Common scheme of the agent AIA operation 

Script A. Check of the user's name and password 


Fig.A.13. Rules of the agents AIA behaviour 

The agents AIA behaviour is determined by two generalized rules A.1 and B.1. The first rule 
performs identification by login name, and the second rule checks the password. 

A.1. The rule determines that the input message contains a login name (see Fig.A.13, line 1). 

A.1.1. The rule determines that this attempt to enter a name for the connection establishment is 
not the first within the current connection (see Fig.A.13, line 2). 

A.1.1.1. The rule determines that the entered name is contained in the table of names of the 
users having the right to operate with the host (see Fig.A.13, line 3). In this case the value 
user_ok is recorded in the field Fact of the current connection description. 

A.1.1.2. The rule determines that the table of names of the users does not contain the entered 
name (see Fig.A.13, line 4). In this case the value of the access attempts counter is incremented 
by 1. 

A.1.1.2.1. If the number of access attempts is greater than a preset threshold, then a login 
name guessing conclusion is drawn, and a message about this fact is sent to the agent 
IDA2 (see Fig.A.13, line 5). 

A.1.2. The rule determines that this attempt to enter a login name for the connection establishment is 
the first within the current connection (see Fig.A.13, line 6). 

A.1.2.1. The rule determines that the entered name is contained in the table of names of the 
users having the right to operate with the host (see Fig.A.13, line 7). In this case the value 
user_ok is recorded in the field Fact of the current connection description. The value of the 
host access attempts counter remains equal to 0. 

A.1.2.2. The rule determines that the table of names of the users does not contain the entered 
name (see Fig.A.13, line 8). In this case the value 1 is assigned to the access attempts 
counter. 

B.1. The rule determines that a user's password is in the data field of the input message (see Fig.A.13, 
line 9). 

B.1.1. The rule checks that a login name existing in the users' names and passwords table was 
entered (see Fig.A.13, line 10). This table contains the names and passwords of the users 
having the right to operate with the host. 

B.1.1.1. The rule determines that the entered password is contained in the users' names and 
passwords table and corresponds to the login name entered earlier (see Fig.A.13, line 11). The 
user's access rights are assigned on the basis of the same table. The message about 
successful access, with the access rights indicated in the field Access of the current connection 
description, is transmitted to the agent AD-E. 

B.1.1.2. The rule determines that the entered password is incorrect and increments the access 
attempts counter by 1 (see Fig.A.13, line 12). 

B.1.1.2.1. If the number of host access attempts is greater than a preset threshold, then a login 
name and password guessing conclusion is drawn, and a message about this fact is sent 
to the agent IDA2 (see Fig.A.13, line 13). 
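The rules A.1 and B.1 above describe a small state machine kept per connection. The Python below is an example added to this description, not the Case study's own code: the names AiaConnection, on_login_name and on_password, the threshold GUESS_MAX and the table USERS are assumptions, and the two traces are constructed.

```python
# Added example, not code from the original report: the AIA agent's
# identification rule A.1 and password rule B.1 as per-connection state.
# The names below, the threshold and the user table are assumptions.
from dataclasses import dataclass, field
from typing import Optional
import hmac

GUESS_MAX = 3  # preset threshold of the host access attempts counter

# Constructed users' names and passwords table with the access rights it grants.
USERS = {"alice": ("s3cret", "read"), "operator": ("hunter2", "full")}


@dataclass
class AiaConnection:
    name: Optional[str] = None     # login name entered earlier (checked by B.1.1)
    fact: Optional[str] = None     # Fact field of the connection description
    access: Optional[str] = None   # Access field, filled on success (B.1.1.1)
    attempts: int = 0              # host access attempts counter
    name_entered: bool = False     # distinguishes A.1.1 (repeat) from A.1.2 (first)
    out: list = field(default_factory=list)  # (recipient, message) sent by AIA


def on_login_name(conn, name):
    """Rule A.1: the input message carries a login name."""
    conn.name = name
    if name in USERS:                    # A.1.1.1 / A.1.2.1: known user
        conn.fact = "user_ok"
    elif not conn.name_entered:          # A.1.2.2: first attempt, counter := 1
        conn.attempts = 1
    else:                                # A.1.1.2: counter := counter + 1
        conn.attempts += 1
        if conn.attempts > GUESS_MAX:    # A.1.1.2.1: name guessing
            conn.out.append(("IDA2", "login name guessing"))
    conn.name_entered = True
    return conn.fact


def on_password(conn, password):
    """Rule B.1: the input message carries a password."""
    if conn.name not in USERS:           # B.1.1 not satisfied: no known name entered
        return None
    expected, rights = USERS[conn.name]
    # Constant-time comparison; a plain == leaks how long the matching prefix is.
    if hmac.compare_digest(expected.encode(), password.encode()):  # B.1.1.1
        conn.access = rights
        conn.out.append(("AD-E", f"access ok, Access={rights}"))
        return "Log"
    conn.attempts += 1                   # B.1.1.2: wrong password
    conn.fact = "Bad login"
    if conn.attempts > GUESS_MAX:        # B.1.1.2.1: name and password guessing
        conn.out.append(("IDA2", "login name and password guessing"))
    return None


def name_guessing_trace():
    """Constructed trace: four unknown names entered on one connection."""
    conn = AiaConnection()
    for name in ("root", "guest", "toor", "backup"):
        on_login_name(conn, name)
    return conn.attempts, conn.out


def password_guessing_trace():
    """Constructed trace: a known name, four wrong passwords, then the right one."""
    conn = AiaConnection()
    on_login_name(conn, "alice")
    results = [on_password(conn, pw) for pw in ("a", "b", "c", "d", "s3cret")]
    return results, conn.attempts, conn.access, conn.out
```

The counter lives in the connection description, so a guesser who reconnects starts again from 0; the rules only report to IDA2 and do not refuse the login (the second trace still ends in Log), and it is the IDA2 rule that counts such reports over a time period (A1.2.7) that catches the reconnecting guesser. The names and passwords table of the report is held in clear; a deployment would keep salted password hashes and compare the hash of the entered password instead.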

A1.2.5. Scripts of the agent ACA operation 

The common scheme of the agent ACA operation is represented in Fig.A.14. 

Fig.A.14. Common scheme of the agent ACA operation 

Script A. Check of the access rights 

The message including the user's access rights and the contents of the input tcp-message data field 
arrives at the agent ACA (see Fig.A.15, line 1). If the actions defined in the data field correspond to 
the available rights, then the first rule transmits the obtained message to the agent AD-P2 (see 
Fig.A.15, line 2). If an access violation attempt is detected, then the second rule transmits this fact 
to the agent IDA2 (see Fig.A.15, line 3, and also contents of the two windows below, this rule is 
marked). 


Fig.A.15. Rules of the agents ACA behaviour 

A1.2.6. Scripts of the agent IDA1 operation 

The common scheme of the agent IDA1 operation is represented in Fig.A.16. 


Fig.A.16. Common scheme of the agent IDA1 operation 

The agents IDA1 fulfill the task of Combined spoofing attack detection. In the Case study the 
basic mechanisms of this task solution are realized. The sequence diagram (Fig.A.17) explains the 
order of the agents' interaction. 

Fig.A.17. Sequence diagram of the agents' interaction at Combined spoofing attack detection 
(IDA1 (CSA): decisions; agent daemon; IDA2: decision) 

For implementation of a more complete task solution the following agents' dialogues need to be 
added to the scheme of the agents' interaction. 

•  On obtaining a message about the fact of a presumable attack Denial of service from a host H, 
the agent IDA1 can query this host for confirmation of the supposition. 

•  On obtaining a tcp-message with the flag SYN from the host that has undergone a Denial of service, 
the agent IDA1 can query a marginal host about the presence of an external packet that arrived 
simultaneously with this message. 

Script A. Combined spoofing attack detection 

The rules of the agent IDA1 behaviour for Combined spoofing attack detection are represented 
in Fig.A.18. 

A.1. The rule determines that a message on a possible attack Denial of service has been obtained (see 
Fig.A.18, line 1). On the basis of the obtained data the rule transfers to the agent AD-E a message 
with the contents represented in the left part of Table 2 (from the description of the agents AD-E 
behaviour). 

A.2. This rule registers a tcp-message with the flag SYN obtained from the attacked host (see Fig.A.18, 
line 2). 

A.3. This rule registers completion of the "hand shake" on behalf of the host that has undergone the attack 
Denial of service, and concludes the fact of an imitation of a connection on behalf of this host (see 
Fig.A.18, line 3, and also contents of the two windows below, this rule is marked). A host silenced by 
a Syn flood cannot complete a handshake itself, so a completed handshake from its address means that 
the address is being spoofed. The message on the detected fact is transmitted to the agent IDA2. 

A1.2.7. Scripts of the agent IDA2 operation 

The common scheme of the agent IDA2 operation is represented in Fig.A.19. 

Fig.A.19. Common scheme of the agent IDA2 operation 

A.1. The rule fires if a message about a host access attempt by login name and password 
guessing or about Combined spoofing attack detection has arrived (see Fig.A.20, lines 1 and 2). In this 
case the rule counts the facts of this sort within a preset time period. If this number 
exceeds a preset threshold, then a conclusion about a Host penetration is generated and the warning 
is dispatched to the administrator. 


Fig.A.20. Rules of the agents IDA2 behaviour 

A.2. The rule fires if a message about a Port scanning or Finger search fact has 
arrived (see Fig.A.20, lines 3 and 4, and also contents of the two windows below, this rule is marked). 
In this case the rule counts the facts of this sort within a preset time period. If this 
number exceeds a preset threshold, then a conclusion about a Reconnaissance is generated and the 
warning is dispatched to the administrator. 
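The two rules above are the same count over a time period with different inputs and conclusions. The following Python model of the agent IDA2 is an example added here and is not the Case study's own code: the class Ida2Agent, the period, the threshold and the fact stream are assumptions, and both AIA guessing facts (A1.2.4, rules A.1.1.2.1 and B.1.1.2.1) are counted towards Host penetration here.

```python
# Added example, not code from the original report: the IDA2 generalization
# rules A.1 and A.2 as a sliding time window over the facts reported by the
# other agents. Names, the period and the threshold are assumptions.
from collections import defaultdict, deque

PERIOD = 60.0    # preset time period (model-time units)
THRESHOLD = 2    # preset threshold: more than this many facts inside PERIOD

# Incoming fact -> conclusion (rule A.1: Host penetration, rule A.2: Reconnaissance).
CONCLUSION = {
    "login name guessing": "Host penetration",
    "login name and password guessing": "Host penetration",
    "Combined spoofing attack": "Host penetration",
    "Port scanning": "Reconnaissance",
    "Finger search": "Reconnaissance",
}


class Ida2Agent:
    def __init__(self):
        self.facts = defaultdict(deque)   # conclusion -> times of matching facts
        self.warnings = []                # (time, conclusion) sent to the administrator

    def on_fact(self, fact, now):
        """Count the fact against its conclusion; warn when the period count
        exceeds THRESHOLD. Returns the conclusion raised, or None."""
        conclusion = CONCLUSION.get(fact)
        if conclusion is None:            # fact not generalized by A.1 / A.2
            return None
        window = self.facts[conclusion]
        window.append(now)
        while window and now - window[0] > PERIOD:   # forget facts outside the period
            window.popleft()
        if len(window) > THRESHOLD:
            self.warnings.append((now, conclusion))
            return conclusion
        return None


def run_ida2_trace():
    """Constructed fact stream: a burst of reconnaissance facts inside one
    period, then two penetration facts too far apart to be counted together."""
    agent = Ida2Agent()
    stream = [
        ("Port scanning", 0.0),
        ("Finger search", 30.0),
        ("Port scanning", 50.0),
        ("login name and password guessing", 100.0),
        ("Combined spoofing attack", 200.0),
        ("Buffer overflow", 210.0),   # reported to IDA2 by AD-P2, but no A.1/A.2 rule
    ]
    return [agent.on_fact(f, t) for f, t in stream], agent.warnings
```

Keeping the timestamps rather than a bare counter is what makes the period a sliding window: the count drops as old facts age out, so a single burst raises one warning and an attacker who spreads attempts thinly over time stays below THRESHOLD unless the period is set to cover the whole campaign.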